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UNITED STATES GOVERNMENT 


Memorandum 
OC-034-12 
DATE: 3 May 2012 
REPLY TO 
ATTN OF: SID Oversight & Compliance 
SUBJECT: (U//FOUO) NSAW SID Intelligence Oversight (IO) Quarterly Report — First Quarter Calendar 
Year 2012 (1 January — 31 March 2012) - EXECUTIVE SUMMARY 
TO: SIGINT Director 
I. (U) Overview 


(U//FOUO) The attached NSAW SID Intelligence Oversight (IO) Quarterly Report for the First Quarter 
Calendar Year 2012 (1 January — 31 March 2012) identifies NSAW SID compliance with E.O. 12333, DoD 
Regulation 5240.1-R, NSA/CSS Policy 1-23, USSID SP0018, and all related policies and regulations. 


(U//FOUO) Detailed incident narratives are provided in the attached annexes. The number of incidents in 
each category and a reference to the annex related to each incident category are contained in the body of the 
report. 


(U//FOUO) As part of SID Oversight and Compliance’s (SV) charge to provide comprehensive trends and 
analysis information as it pertains to incidents of non-compliance, this Executive Summary provides analysis 
and evaluation of incidents reported throughout the current quarter to better address the “whys” and “hows” 
behind NSAW SID’s compliance posture. 


(U//FOUO) Section II, Metrics, has been broken down into several sub-sections: metrics and analysis of 
NSAW SID-reported incidents by authority, type, root cause, and organization. Also included is an assessment 
of how incidents were discovered (i.e., methods of discovery) for SID-reported incidents (see Figure 7). 


(U//FOUO) Significant Incidents of Non-compliance and Report Content follow in Sections III and IV, 
respectively. 


(S//REL) Overall, the number of incidents reported during 1QCY12 increased by 11% as compared to the 
number of incidents reported during 4QCY11. This included a rise in the number of E.O. 12333 incidents, as 
well as for incidents across all FISA authorities. The majority of incidents in all authorities were database 
query incidents due to human error. Of note, S2 continued to be the NSAW SID organization with the largest 
number of reported incidents (89%), although S2 experienced an overall decrease in reported incidents. SV 
noted an overall improvement in timeliness regarding 1QCY12 IO Quarterly Report submissions from the SID 
elements. 
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Il. (U) Metrics 


a. (U//FOUO) NSAW SID-reported Incidents by Authority 


(TS//SI//REL TO USA, FVEY) Figures 1a-b compares all categories of NSAW SID-reported incidents 
(collection, dissemination, unauthorized access, and retention) by Authority for 2QCY11 -— 1QCY12. From 
4QCY11 to 1QCY12, there was an overall increase in incidents of 11%. There was also an increase of 11% for 
both E.O. 12333 and FISA incidents. The increase in incidents reported for 1QCY12 was due to an increase in 
the number of reported Global System for Mobile Communications (GSM) roamer' incidents, which may be 
attributed to an increase in Chinese travel to visit friends and family for the Chinese Lunar New Year holiday. 


(U//FOUO) Figure 1a: Table of the Number of NSAW SID-reported Incidents by Authority 


(U//FOUO) 


2QCY11 3QCY11 4QCY11 1QCY12 
E.O. 12333 396 390 601 670 
FISA 150 198 176 195 
TOTAL 546 588 777 865 
(U//FOUO) 


(U//FOUO) Figure 1b: Line Graph of the Number of NSAW SID-reported Incidents by Authority 
U//FOUO 
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(TS//SI//NF) FISA Incidents: As reflected in Figures 1a-b, during 1QCY12, NSAW SID reported a total 
of 195 FISA incidents, 185 of which were associated with unintentional collection. NSAW SID also reported 6 
incidents of unintentional dissemination under FISA authority and 4 incidents of unauthorized access to Raw 


1 (U//FOUO) Roaming incidents occur when a selector associated with a valid foreign target becomes active in the U.S. 
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SIGINT FISA data. Figure 2 illustrates the most common root causes for incidents involving FISA authorities 
as determined by SV. 


e 63% (123) of 1QCY12 FISA incidents can be attributed to Operator Error as the root cause, and 
involved: 
o Resources ( i.e., inaccurate or insufficient research information and/or workload issues (60); 
o Lack of due diligence (i.e., failure to follow standard operating procedures) (39); 
o Human error (21) which encompassed: 
= Broad syntax (i.e., no or insufficient limiters / defeats / parameters) (12); 
= Typographical error (6); 
= Query technique understood but not applied (2); and 
= Incorrect option selected in tool (1); and 
o Training and guidance (i.e., training issues) (3). 


(U//FOUO) The Resources root cause category accounted for the largest percentage of Operator Error 
incidents under FISA authorities for 1QCY12. Analysis identified that these incidents could be reduced if 
analysts had more complete and consistent information available about selectors and/or targets at the time of 
tasking and if analysts consistently applied rules for conducting queries. 


e 37% (72) of 1QCY12 FISA incidents can be attributed to System Error as the root cause, and 
involved: 
o System limitations (i.e., system lacks the capability to ‘push’ real-time travel data out to 
analysts, system/device unable to detect changes in user) (67); 
o System engineering (i.e., system/database developed without the appropriate oversight 
measures, data flow issues, etc.) (4); and, 
o System disruptions (i.e., glitches, bugs, etc.) (1). 


(U//FOUO) The System Limitations root cause category accounted for the largest percentage of System 
Error incidents under FISA authorities for 1QCY12. The largest number of incidents in the System Limitations 
category account for roamers where there was no previous indications of the planned travel. These incidents are 
largely unpreventable. Consistent discovery through the Visitor Location Register (VLR) occurs every quarter 
and provides analysts with timely information to place selectors into candidate status or detask. Analysis 
identified that these incidents could be reduced if analysts removed/detasked selectors more quickly upon 
learning that the status of the selector had changed and more regularly monitored target activity. This analysis 
indicates that continued research on ways to exploit new technologies and researching the various aspects of 
personal communications systems to include GSM, are an important step for NSA analysts to track the travel of 
valid foreign targets. 


Page 3 of 13 


TOP SECRET//COMINT//NOFORN 


TOP SECRET//COMINT//NOFORN 
(U//FOUO) Figure 2: 1QCY12 FISA Incidents — Root Causes 
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(TS//SI//REL TO USA, FVEY) Delayed Detasking FISA Incidents: As reflected in Figures 1a-b, during 
1QCY12, NSAW SID reported a total of 195 FISA incidents. 19 (10%) of the total FISA incidents were 
associated with detasking delays. Of the 19 delayed detasking incidents, 12 (63%) of these incidents occurred 
under NSA FISA Authority, 5 (27%) occurred under FAA 702 Authority, 1(5%) occurred under FAA 704 
Authority, and 1 (5%) occurred under FAA 705(b) Authority. Figure 3a illustrates the detasking delay incidents 
versus all other FISA incidents reported during 1QCY12. Figure 3b illustrates the detasking delay incidents by 
FISA Authority reported during 1QCY12. 


(U//FOUO) Figure 3a: 1QCY12 Detasking FISA (U//FOUO) Figure 3b: 1QCY12 FISA Incidents 
Incidents vs. All other FISA incidents by Authority — Delayed Detaskings 
U//FOUO U//FOUO 
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(TS//SI//REL TO USA, FVEY) As depicted in Figures 3a and 3b, of the 19 delayed detasking FISA 
incidents, 15 (79%) resulted from a failure to detask all selectors, 2 (11%) resulted from analyst not detasking 
when required, 1 (5%) resulted from partner agency error, and 1 (5%) resulted from all tasking not terminated 
(e.g., dual route). 


b. NSAW SID-reported Collection Incidents by Sub-Type and Authority 


(U//FOUO) Figures 4a-b depicts NSAW SID-reported collection incidents by Authority (E.O. 12333 and 
all FISA Authorities), and identifies the primary sub-types for those incidents. An explanation of the more 
prominent collection incident sub-types follows the graphs. 


(U//FOUO) Figure 4a: NSAW SID-reported Collection Incidents Under E.O. 12333 Authority 
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(U//FOUO) Figure 4a: During 1QCY12, NSAW SID reported a 39% increase of database query incidents 
under E.O. 12333 Authority. Human Error accounted for 74% of E.0.12333 database query incidents. 


(TS//SI//REL TO USA, FVEY) International Transit Switch Collection*: International Transit switches, 
FAIRVIEW (US-990), STORMBREW (US-983), ORANGEBLOSSOM (US-3251), and SILVERZEPHYR 
(US-3273), are Special Source Operations (SSO) programs authorized to collect cable transit traffic passing 
through U.S. gateways with both ends of the communication being foreign. When collection occurs with one or 
both communicants inside the U.S., this constitutes inadvertent collection. From 4QCY11 to 1QCY12, there was an 
increase of transit program incidents submitted from 7 to 27, due to the change in our methodology for reporting and 
counting of these types of incidents. (*See Annex G in SID’s 1QCY12 IO Quarterly Report for additional details 
regarding these incidents.) 
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(U//FOUO) Figure 4b: NSAW SID-reported Collection Incidents Under 
All FISA Authorities 
U//FOUO 
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(U//FOUO) Figure 4b: During 1QCY12, NSAW SID reported an increase of 9% of roamer incidents under 
all FISA Authorities. There was also a 260% increase in database query FISA Authority incidents during 
1QCY12. Human Error accounted for the majority of all FISA Authorities database query incidents (74%). 


(U//FOUO) Roamers: Roaming incidents occur when valid foreign target selector(s) are active in the U.S. 
Roamer incidents continue to constitute the largest category of collection incidents across E.O. 12333 and FAA 
authorities. Roamer incidents are largely unpreventable, even with good target awareness and traffic review, 
since target travel activities are often unannounced and not easily predicted. 


(S//SI//NF) Other Inadvertent Collection: Other inadvertent collection incidents account for situations 
where targets were believed to be foreign but who later turn out to be U.S. persons and other incidents that do 
not fit into the previously identified categories. 


(TS//SI//REL TO USA, FVEY) Database Queries: During 1QCY12, NSAW SID reported a total of 115 
database query incidents across all Authorities, representing a 53% increase from 4QCY11. E.O. 12333 
Authority database query incidents accounted for 84% (97) of the total, and all FISA Authorities database query 
incidents accounted for 16% (18). 


(U//FOUO) Figure 5 illustrates the most common root causes for incidents involving database queries as 
determined by SV. 


e 99% (114) of the 1QCY12 database query incidents are attributed to Operator Error as the root 
cause, and involved: 
o Human error (85) which encompassed: 
= Broad syntax (i.e., no or insufficient limiters / defeats / parameters) (55); 
= Typographical error (17); 
= Boolean operator error (6); 
= Query technique understood but not applied (4); 
= Not familiar enough with the tool used for query (2); and 
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= Incorrect option selected in tool (1) 
o Lack of due diligence (i.e., failure to follow standard operating procedure) (13) 
o Training and guidance (i.e., training issues) (9); and 
o Resources (i.e., inaccurate or insufficient research information and/or workload issues) (7). 


(U//FOUO) The remaining 1 database query incident can be attributed to System Error as the root cause 
and occurred due to a mechanical error with the tool. 


(U//FOUO) Analysis identified that the number of database query incidents could be reduced if analysts 
more consistently applied rules/standard operating procedures (SOPs) for conducting queries. 


(S//SI//NF) Auditors continue to play an important role in the discovery of database query incidents, 
identifying 70 (61%) of the 115 reported database query incidents. 


(U//FOUO) Figure 5: 1QCY12 Database Query Incidents — Root Causes 
W/FOUO 
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(TS//SI//REL TO USA, FVEY) Of the 115 database query incidents reported for 1QCY12, Figure 6 identifies 
the database involved and the associated percentage of the total. Databases considered to be Source Systems of 
Record (SSR) have been labeled as such. 


(TS//SI//REL TO USA, FVEY) Note that the total number of databases involved in the database query 


incidents in Figure 6 does not equal the number of database query incidents reflected in Figure 5 or in the 
1QCY12 SID IO Quarterly Report because a database query incident may occur in more than one database. 
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(U//FOUO) Figure 6: 1QCY11 Database Query Incidents — Database(s) Involved 
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(U//FOUO) NSAW SID-reported Incidents — Method of Discovery 


(U//FOUO) Figure 7 depicts the most prominent method(s) of discovery for incidents reported by NSAW 
SID elements for 1QCY12. As SV’s assessment of root causes matures, and as corrective measures are 
implemented, identification of how incidents are discovered will provide additional insight into the 
effectiveness of those methods. 


(U//FOUO) Figure 7: 1QCY12 Incidents — How Discovered 
U//FOUO 
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(U//FOUO) For 1QCY 12, of the 865 reported incidents, 553 (64%) were discovered by automated alert. 
444, (80%) of the 553 incidents that were discovered by automated alert occurred via the VLR and other 
analytic tools, such as SPYDER, CHALKFUN, and TransX. 


c. (U//FOUO) NSAW SID-reported Incidents by Organization 


(U//FOUO) Figure 8 illustrates the total 1QCY12 NSAW SID-reported incidents by primary SID Deputy 
Directorate (DD) level organization. S2, having the largest NSAW SID contingent of reported incidents, 
accounted for 89% of the total incidents for the quarter, a proportion consistent with the overall size of the S2 
organization. As compared to 4QCY11, S2 experienced an overall 8% reduction in incidents occurrences. 


(U//FOUO) Figure 8: 1QCY12 Incidents by NSAW SID Organization 
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(U//FOUO) Figure 9 provides a look into S2 (by Product Line) as the NSAW SID organization with the 
largest number of reported incidents. For 1QCY12, three Product Lines accounted for 72% of S2’s reported 
incidents. These Product Lines were: the and Korea Division (S2B) with 28% of the reported incidents, the 
International Security Issues Division (S2C) with 23% of the reported incidents, and the China, and the Office 
of Middle East & Africa (S2E) with 21% of the incidents. As compared to 4QCY11, this resulted in an increase 
of 16% for S2B, a reduction of 35% for S2C, and an increase of 9% for S2E. The number of incidents reported 
by the remaining seven Product Lines held relatively steady from 4QCY11 to 1QCY12. 
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(U//FOUO) Figure 9: 1QCY12 S2 Incidents by Product Line 


(U//FOUO) 
iat WS2A 32 
WS2B 213 
wS2C 174 
Os2D 61 
MS2E 159 
ES2F 17 
MS2G 25 
WS2H 29 
msz 60 
Total: 772 W S2J 2 
(U//FOUO) 


(U//FOUO) Figures 10a-b illustrates the operator related (Figure 10a) and system related (Figure 10b) 
root causes associated with the 772 incidents reported by S2. 30% of the incidents were due to operator related 
errors that resulted in an incident. 70% of the incidents were due to system related issues that resulted in an 
incident. 

(U//FOUO) Figure 10a: 1QCY12 S2 Incidents — Operator Related Root Causes 
(U//FOUO) 


0 
4% @Human Error 71 


E Information Resources 80 
E Lack of Due Diligence 68 


E Personnel Resources 2 


@Training&Guidance 9 


Total: 230 


(U//FOUO) 


(U//FOUO) 30% of the S2-reported incidents during 1QCY12 are attributed to Operator Error as the root 
cause, and involved: 


e Resources (i.e., inaccurate or insufficient research information and/or workload issues, and 
personnel resource issues) (82); 
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e Human error (i.e., selector mistypes, incorrect realm, or improper query) (71); 
e Lack of due diligence (i.e., failure to follow standard operating procedures) (68); and 
e Training and guidance (i.e., training issues) (9). 


(U//FOUO) Analysis found that analysts could reduce the number of incidents if there was more 
comprehensive research information available at the time of tasking as well as through better use of defeats, 
more careful review of data entry to avoid typographical errors and omissions, and by following SOPs more 
consistently. 


(U//FOUO) Figure 10b: 1QCY12 S2 Incidents — System Related Root Causes 
(U//FOUO) 
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(U//FOUO) 70% of the S2-reported incidents during 1QCY12 are attributed to system issues as the root 
cause, and involved: 
e System limitations (i.e., system lacks the capability to ‘push’ real-time travel data out to analysts, 
system/device unable to detect changes in user) (541); and 
e System engineering (i.e., data tagging, configuration, design flaws, etc.) (1). 


(TS//SI//REL TO USA, FVEY) System Limitations, the largest percentage of System Error root cause, can 
be attributed to situations where a valid foreign target is found roaming in the United States without indication 
in raw traffic. 


II. (U) Significant Incidents of Non-compliance 


(TS//SI//NF) Business Record (BR) FISA. As of 16 February 2012, NSA determined that approximately 
3,032 files containing call detail records potentially collected pursuant to prior BR Orders were retained on a 
server and been collected more than five years ago in violation of the 5-year retention period established for 
BR collection. Specifically, these files were retained on a server used by technical personnel working with 
the Business Records metadata to maintain documentation of provider feed data formats and performed 
background analysis to document why certain contain chaining rules were created. In addition to the BR 
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work, this server also contains information related to the STELLARWIND program and files which do not 
appear to be related to either of these programs. NSA bases its determination that these files may be in 
violation of docket number BR 11-191 because of the type of information contained in the files (i.e., call 
detail records), the access to the server by technical personnel who worked with the BR metadata, and the 
listed “creation date” for the files, It is possible that these files contain STELLARWIND data, despite the 
creation date. The STELLARWIND data could have been copied to this server, and that process could have 
changed the creation date to a timeframe that appears to indicate that they may contain BR metadata. 
Additional details regarding this incident can be found in the “Bulk Metadata FISA” Annex, ANNEX R 
(Item R1) in SID’s LOC Y12 IO Quarterly Report. 


(S//SU//REL TO USA, FVEY) Detasking Delay. Four selector: mained active after multiple 
indications were received that the target held a U.S. green ci arch 2012, a South Asia Language 
Analysis Branch (S2A51) senior linguist was preparing ivision) selectors for OCTAVE 
migration when it was discovered that the tasking record for showed that there were four selectors 
O O were in active status even though his tasking file indicated he held a U.S. green card as of 03 
October 2011. On 09 March 2012, the S2A51 senior linguist detasked = four selectors, and on 13 March 
2012, the S2A51 senior linguist requested the 881 cuts in NUCLEO! ection from those four 
selectors be purged. On 13 March 2012, a senior . eporting Branch 
(S2A52) researched S$2A52's locally held file of erson status and learned 
that an S2A52 analyst had indications in intercept on 09 September 201 might have a U.S. 
green card. It was also recorded in the same S2A52 file that S2A52 had submitted a request to the 
Department of Homeland Security (DHS: (N.B., the date of the S2A52 request to DHS was 
not recorded) and learned from DHS on 28 September 2011 that had obtained a U.S. green card as 
O 010. The S2A52 senior reporter then checked ANCHORY and discovered that S2A52 had 
issued 32 reports betwee 010 and 2011. On 14 March 2012, S2A5 submitted a 
request for Retroactive Dissemination Authority for the 32 reports which contained the name of 

The Customer Relationships, 
Information Sharing Services Branch (512) approved ISS/BDA-068-12 on 16 March 2012. Serialized 
dissemination of U.S. person information did occur. On 13 March 2012, the S2A51 senior linguist who 
found that these number S a not been detasked reminded the other two members 
Governmental Unified Targeting Tool (UTT) Group for S2A5 to check all S2A5 databases o 
officials who have U.S. (and Second Party person) status before submitting selectors for tasking. Additional 
details regarding this incident can be found in the Unintentional Collection under E.O. 12333 Authority 
Annex, “Collection as a Result of Tasking Errors or Detasking Delays”, ANNEX E (Item El) and in the 
“Unintentional Dissemination of U.S. Person Information Collected Under E.O. 12333, FISA, and FAA 
Authorities”, Annex M (Item M15) in SID’s 1QCY 12 IO Quarterly Report. 


= 


(C//REL TO USA, FVEY) Unauthorized Access. On 29 December 2011, a Cryptanalysis and Exploitation 
(CES)/Office of Target Pursuit (531174) Branch Chief discovered that CES personnel had likely been 
inappropriately granted access to NSA Establishment FISA data. Multiple external factors contributed to this 
situation. First, in 2002, RAGTIME was changed to encompass both NSA Establishment FISA and FBI FISA, 
but due to insufficient notice regarding this modification, CES continued to apply the earlier rule that 
RAGTIME applied only to NSA Establishment FISA data. Second, CES relied on the RAGTIME label in 
CASPORT for granting access to NSA Establishment FISA data but discovered that CASPORT does not 
accurately reflect NSA Establishment FISA briefing status. Third, CASPORT often lists NSA-FISA in the 
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“Oversight” section even though this has nothing to do with a particular user's access. CES has alerted its 
workforce to look in the CASPORT “Briefing” section for the NSA Establishment FISA entry and CES- 
controlled software is being updated regarding data access control. Additional details regarding this incident 
can be found in the “Unauthorized Access to Raw SIGINT” Annex, ANNEX P (Item P2) in SID’s 1QCY 12 IO 
Quarterly Report. 


(U) Report Content 
e Upcoming Initiatives 


(U//FOUO) During CY 12, SV plans to develop ‘score cards’ to capture and illustrate an organization's 
reported quarterly activities. SV plans to use this information during scheduled feedback sessions with SID 
reporting organizations to provide a detailed view into specific areas of high interest or concern arising from 
analyzing IO Quarterly Report metrics. 


e NSAW SID 1QCY12 IOQ Report Challenges: 


(U//FOUO) SV noted an overall improvement in timeliness regarding 1|QCY12 IO Quarterly Report 
submissions from the SID elements. SV received late submissions from SIGDEV Strategy & Governance 
(SSG) and SID/Deputy Directorate for Data Acquisition (S3), delaying SV’s preparation of the NSAW SID IO 
Quarterly Report. SV will continue to focus on outreach with SSG and S3 in order to ensure more complete 
and timely report submissions. 
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